
This site's "Your Rights Online" section, sadly, has never suffered for material. The revelations we've seen over the last year-and-change, though, of widespread spying on U.S. citizens, government spying in the E.U. on international conferences, the UK's use of malware against citizens, and the use of modern technology to oppress government protesters in the Middle East and elsewhere show how persistent it is. It's been a banner year on that front, and the banner says "You are being spied on, online and off." A broad coalition of organizations is calling today "The Day We Fight Back" against the growing culture of heads-they-win, tails-you-lose surveillance, but all involved know this is not a one-day struggle. (Read more, below.)

THREE REASONS TO HATE MASS SURVEILLANCE:

1) Because the Internet is nearly everywhere, it means the spying it makes possible has spread to match its footprint. 30 years ago, "on the internet" really was novel, because the public Internet simply wasn't. There were a few big military and academic sites around the world, and the concepts that make today's internet work were already embodied in running systems, but there was little reason for individuals to care about privacy invasion, or having their systems crippled by government malware, because their systems and their privacy weren't at issue. There wasn't a World Wide Web as a portal to nearly every resource online, no "Cloud," and no Blue Coat. Now, not only can individuals get on the internet, but the meaning of that phrase has moved, fast, over the last decade: now, getting on the internet is just a fact of modern life, a banal, automated background fact of the way we stay in touch with friends, deal with bills, find entertainment, get directions, and work. Online surveillance of all the signals we emit and receive (over home internet links, over cellular networks, on landline telephones, even on postcards) might be minimized and waved away as the collection of "mere" metadata, but in reality, if you're reading these words online, and even if you're doing your best to read them anonymously, it means you've almost certainly got a collection of data about you online already.

2) Because "online surveillance" is a slippery slope, and it will only get slipperier. Remember the Clipper chip's hardware-based encryption escrow scheme? Who and how often you email, chat with online, or call on the phone is the tip of the iceberg. Robert Bork didn't like having his video watching habits spied on, and that was before Netflix and competitors made the sorting and stacking of movie-watching habits not only possible but a never-ending exercise in deep data analysis. Maybe you don't care in particular about what the NSA, FBI, or anyone else thinks of your taste in entertainment, but you might prefer them to stay out not only of the information revealed by your current online activity, but also out of whatever things are revealed by future developments. Right now, a relatively small part of the online population uses crypto-currency like Bitcoin; a decade from now, it seems likely to be even more widespread than Netflix is today. Do you want your transactions to be public record, or even public-servant record? Beyond that, the era of ubiquitous, automated surveillance doesn't need you to mail an angry letter, or declare allegiance to an unpopular cause online: Just walking around means sooner rather than later you're likely to be captured on camera.

Access to your medical records almost certainly will be online, too, even more than it already is. Online and offline lives will only get blurrier: Your GPS (and increasingly, that means your phone, too) knows where you've been, and your should-be-private Google Maps page knows where you might have considered going. (Couple that with the cavalier attitude that dominates rules about data that you carry in your phone, laptop or USB data sticks, if you cross, or even come near, the U.S. border.) Think about the meta-data (or what the government might characterize that way) that your reading and viewing habits, your prescription medicine needs, your airline tickets, and your Amazon wishlist could reveal, and whether you'd want everyone's digital dossier to be up for ad-hoc scrutiny in 10 years any more than it already is. You don't want the equivalent of the TSA viewing rooms (for your own good, of course) attached to every stream of online communication.

3) Because you're paying for it. How much you're paying is hard to say, because of black budgets, overlapping programs, and the sheer number of systems that are or could be used to make widespread surveillance the new normal, but the mystery price tag starts out high. If you're an American, or an EU citizen, at least you can be grateful that you're likely only being spied on, rather than actively harmed in other ways; in other countries, the outcome can be far grimmer. How much do you want to pay to build an infrastructure for constantly surveilling yourself, your friends, and your family? Especially one that fails so miserably at even its stated aims?

THREE WAYS TO FIGHT IT:

The good news is, while you can't stop the entire octopus, you're not required to be a full-time victim of online surveillance or the offline surveillance that it seems to normalize. Instead, you can take some simple steps that at least fog the glass a bit. Readers will no doubt suggest better technologies and practices, but here's a short list to start with:

1) Encryption, more often and in more contexts. Encrypted hard drives are now easy to buy off the shelf, or to implement with software per-user. Use encryption when it makes sense, for documents, emails, file systems, or browsing; the more you do, the more normal this becomes — if it's perfectly normal to carry data encrypted, no matter how innocuous, it's hard for merely possessing encrypted data to be vilified. TrueCrypt might not be impregnable, but neither are the opaque envelopes you might put in a physical mailbox: making it harder to spy on you even in small ways beats indifference. Good news: not every layer of security takes much effort for you to take advantage of: Mozilla's move to HTTPS Everywhere is an example, as is the option that many OSes are embracing to offer the user full-disk or per-directory encryption.

2) Avoid standing in front of the biggest targets. If you don't yet, use an operating system like Linux or one of the modern BSDs, at least part of the time. The SCADA vulnerabilities exploited to cripple a key part of Iran's nuclear program exploited a well-known hole in a widespread operating system, and the same can be said of many attacks blandly characterized as "Advanced Persistent Threats." Even a cheap, adjunct laptop running an up-to-date Linux or OpenBSD could make you safer for some tasks online; cheaper yet, you can run an entire Linux system from a USB drive, and yank it when you're through. That doesn't stop a mid-stream listener (which is a very hard problem), but a compartmentalized system like that means you can do your online banking or anything else and be less vulnerable to common malware. (Besides, it's fun!)

3) Tell companies, politicians (for instance, by voting for or against), and the people around you, that you object to being spied on. You can't prevent malicious individuals, governments, (or Google, or Yelp, or your Facebook friends) from looking at some of the data that you emit; you might feel perfectly satisfied with lots of the transactions you take part in freely. But you can minimize the worst consequences by being mindful of what you do or don't mind putting out there, and spreading the word when you find abuses of trust that compromise your privacy.

Online spying didn't pop into existence with Edward Snowden's revelations about mass data gathering by the NSA on U.S. citizens. For Americans, having our communications tapped by government agents (even if by a government that has remained far more benign than have many others) extends as long as the history of the country; likewise for Europeans and others all over the world. It's much easier, now, though, for those agents to put an ear to your wall or an eye on your correspondence than it's ever been before. For those in many countries, taking practical steps to reduce your exposure is a sensible move for more than just aesthetic or philosophical reasons, though, and luckily the range of options for preserving privacy and private communications has advanced right along with the growth of the technologies that threaten them.

They can detect the "random" activity, and isolate it. You are not making the right fog, and they have ways to see through it.

A better way would be some protocol that works like bitcoins to share someone else's anonymized queries, and makes you look exactly like them for a little while, then switches it up. They might "poison the well" but if even a medium sample of people is using the method, it will make a fog that makes automated clustering and cla

Theoretically, but in reality, anything that looks too suspicious has to be investigated. Otherwise, if someone who actually wanted to build a bomb knew that fake data was discarded, they just run 10,000 random queries in the exact same manner as the few real ones they need and easily hide their intent. Or consider after a terrorism incident, the report on why some beyond-obvious activity wasn't caught, "Well, they looked too much like terrorists, like they were some caricature perpetrated by someone trying to troll us so we ignored it."

Also, I know for a fact that once you check so many boxes, They have to come do an investigation. My random e-mailer pissed off the secret service right after 9-11*. Though in that case, my service provider passed on the unusual activity when they noticed I got their domain blacklisted by Yahoo for spam email; I wasn't caught by NSA spying.

The question you would be asking anywhere but slashdot would be: "why did you do that?" And the answer would be: in a course I was taking at college, internet monitoring came up, and I single handedly argued against the whole class and teacher that They would not show up for a few emails with the word bomb. So I went home to prove the class wrong and maybe the class was kinda right.

Your idea sounds really cool, kinda like what TOR does but more-so. I just wanted to point out that random activity does get noticed. You're welcome to try your own experiments though!

Nothing is random. Humans are crap at random. Makes me wonder why we think we are intelligent. We are good clocks - that makes our thought mechanistic.

We are consistent. So the "get someone else's version of normal and play it yourself" is really a good way to hide. When tested against computers which make okay random, or some advanced/expensive stuff that makes actual random this approach makes us look nearly exactly like a real human.

Based on some evidence the big dogs of old school organized crime decided instead of fighting the government they could puppeteer the government and that has been going on for decades in multiple nations that "falsely believe that they are free".

Watch the film "Hacking Democracy"

None are so hopelessly enslaved, as those who falsely believe they are free. The truth has been kept from the depth of their minds by masters who rule them with lies. They feed them on falsehoods till wrong looks like right in their ey

I think this is one add-on that Mozilla should incorporate, or at least heavily promote to encourage people to use it.

And develop a long term strategy to put crypto in all comms - e.g. use response headers from servers to push requests over to https where they are supported. Better yet produce an https+ which allows sites to use unsigned keys, CA signed keys, or even web of trust signed keys and present that info to the user in a meaningful way. Get rid of the CA tax and there would be far less reason for sites to use plain http any more.

It is a valid reason. It's a hassle to get a CA to bestow their worthless signature on a cert and to do this year in and year out just to make some silly browser warning go away. And doing this every year forever after. Even if a CA was a well known name and boiled signing down to dragging and dropping a cert onto a box to receive a signature it would still be too onerous.

Why can't Apache just generate a cert when it installs and sites can go off and use that? Ah you might say, it doesn't protect against man-in-the-middle attacks. But it's still better than plain text and it's still sufficient for many sites that want crypto to be on by default. And browsers could store the fingerprint of the cert if they wished and add-ons like HTTPS Everywhere could collate these fingerprints to look for attacks (they already implement this in something called the SSL observatory).

AND it wouldn't stop certs being signed if users wished. For some people, a CA may still be a meaningless signatory and it has its own security problems. Why can't the likes of Google, Amazon, Microsoft hold a key signing party? Would you trust Amazon's signature more if it was signed by Google? I would. And it would be hard to forge certs because there could be multiple signatories and each signatory could have their own. That's a web of trust and scales.

CAs can still be signatories in a web of trust but the existing model where certs MUST have a single CA signature is broken.

Who says a browser has to show a padlock for an unsigned cert? It could be presented the same as plain http but if someone was interested then clicking on the site icon might drop down a box with a simple checklist which says the link was encrypted, the fingerprint was validated with EFF (if SSL observatory is enabled) but it does NOT authenticate the other end OR guarantee protection from man in the middle attacks. A signed cert might show more info, e.g. trust based on the distance to an ultimately truste
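The fingerprint-storing and fingerprint-collating idea from the comment above, sketched as an added example (not code from the poster, HTTPS Everywhere or the SSL Observatory). The class and function names, hostnames and certificate bytes are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use store: remember the first fingerprint seen per host."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so an attacker who is
            # already in the path at this moment is not detected.
            self._pins[host] = fp
            return "first-seen"
        # "changed" is a signal to review, not proof of interception: key
        # rotation and multi-certificate load balancers also trigger it.
        return "match" if pinned == fp else "changed"


def collate(reports):
    """Group (observer, host, fingerprint) reports and return only the hosts
    for which observers disagree, as {host: {fingerprint: [observers]}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for observer, host, fp in reports:
        seen[host][fp].add(observer)
    return {
        host: {fp: sorted(obs) for fp, obs in fps.items()}
        for host, fps in seen.items()
        if len(fps) > 1
    }


def minority_observers(by_fp):
    """Observers whose fingerprint differs from the most widely seen one."""
    majority = max(by_fp, key=lambda fp: len(by_fp[fp]))
    return sorted(o for fp, obs in by_fp.items() if fp != majority for o in obs)


# Constructed sample data: stand-ins for DER certificates, not real ones.
CERT_SITE = b"constructed-der-bytes-for-example.test"
CERT_OTHER = b"constructed-der-bytes-substituted-in-transit"
CERT_SECOND_SITE = b"constructed-der-bytes-for-other.test"

SAMPLE_REPORTS = [
    ("alice", "example.test", fingerprint(CERT_SITE)),
    ("bob", "example.test", fingerprint(CERT_SITE)),
    ("carol", "example.test", fingerprint(CERT_SITE)),
    ("dave", "example.test", fingerprint(CERT_OTHER)),
    ("alice", "other.test", fingerprint(CERT_SECOND_SITE)),
    ("dave", "other.test", fingerprint(CERT_SECOND_SITE)),
]

if __name__ == "__main__":
    store = PinStore()
    for cert in (CERT_SITE, CERT_SITE, CERT_OTHER):
        print("example.test:", store.check("example.test", cert))
    for host, by_fp in collate(SAMPLE_REPORTS).items():
        print(host, "disagreement, minority view from:", minority_observers(by_fp))
```

The local store only notices a change after first contact; the collated view is what lets a single observer's odd fingerprint stand out against everyone else's.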

The crypto weenies over on metzdowd.com seem to think HTTPS is currently a badly broken security layer that gives users a false sense of security. There are a number of suggested fixes, however.

My own pet peeve is that we don't even protect our passwords properly. My ssh id_rsa password protection is a joke: literally a single round of MD5 by default. My TrueCrypt password is protected a bit better, but with custom ASICs, a thousand rounds or so of SHA-256 runs so fast it's not even a significant part of the password guessing latency. I got so POed over this issue, that I've submitted my own password hashing entry in the Password Hashing Competition [password-hashing.net]. Fortunately, there are guys way smarter than me working on this specific problem, and in a couple of years we should have a far better password protection solution. In the meantime, someone should do friendly forks of TrueCrypt and OpenSSL and incorporate Scrypt as the default password hash for user-land encryption (as opposed to servers that may have to run thousands of hashes per second).

The advice to use more encryption seems sound, but most of us geeks here on slashdot don't even know how weak our own password security really is.
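To put numbers on the work-factor gap this comment describes, here is an added example (not the poster's code or his competition entry) that times the three constructions he mentions on the machine it runs on. The PBKDF2-HMAC-SHA-256 function stands in for his "thousand rounds or so of SHA-256", and the scrypt parameters and the candidate count are assumptions chosen for illustration.

```python
import hashlib
import os
import time


def legacy_pem_key(passphrase: bytes, salt: bytes) -> bytes:
    """Legacy OpenSSL PEM key derivation for a 128-bit cipher key:
    a single MD5 over passphrase + 8-byte salt, no iteration."""
    return hashlib.md5(passphrase + salt[:8]).digest()


def pbkdf2_1000(passphrase: bytes, salt: bytes) -> bytes:
    """Assumed stand-in for 'a thousand rounds or so of SHA-256'."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 1000, dklen=32)


# Assumed scrypt cost parameters (illustrative, not a recommendation from the page).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def scrypt_key(passphrase: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(
        passphrase, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=64 * 1024 * 1024, dklen=32,
    )


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Size of scrypt's main working array: 128 * N * r bytes per guess.
    This memory cost is what makes cheap parallel hardware less effective."""
    return 128 * n * r


def seconds_per_guess(kdf, min_time: float = 0.05) -> float:
    """Average wall-clock cost of one passphrase guess on this CPU core."""
    salt = os.urandom(16)
    guesses = 0
    start = time.perf_counter()
    while True:
        kdf(b"guess-%d" % guesses, salt)
        guesses += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_time:
            return elapsed / guesses


def days_to_exhaust(candidates: int, sec_per_guess: float) -> float:
    """Single-core time to try every candidate passphrase, in days."""
    return candidates * sec_per_guess / 86400


if __name__ == "__main__":
    candidates = 10**9  # constructed figure: size of a guessing dictionary
    for name, kdf in [("single MD5 (legacy PEM)", legacy_pem_key),
                      ("PBKDF2-SHA256 x1000", pbkdf2_1000),
                      ("scrypt N=2^14 r=8", scrypt_key)]:
        cost = seconds_per_guess(kdf)
        print(f"{name:26s} {cost * 1e6:12.1f} us/guess "
              f"{days_to_exhaust(candidates, cost):12.2f} days per 1e9 guesses")
    print("scrypt memory per guess:",
          scrypt_memory_bytes(SCRYPT_N, SCRYPT_R) // 2**20, "MiB")
```

These are single-core CPU figures; GPUs and ASICs shift the first two rows by orders of magnitude, while the per-guess memory requirement limits how far the scrypt row moves.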

Joe Six Pack, who is most of the nation, doesn't care. He doesn't care if the government is listening to his phone calls or spying on his email because it doesn't affect his ability to put food on the table or a roof over his head or provide for his kids or pay for his car to get to work or pay his bills in retirement. Joe Six Pack thinks government collection of "metadata" is over his head and doesn't give two shits about it.

Joe Six Pack believes in having his gun. Let the government listen to his phone calls, but if he tries to take away his ability to defend himself, they should plan for return fire. Joe Six Pack believes in low taxes and less government intrusion, because the government sucks at just about everything.

Joe Six Pack believes in tangible threats to his person, his family, and his ability to make something for himself. Government surveillance of his phone call to check up on his mom is not tangible. This is an issue for the minority of tech people trying to do things under the government radar; it doesn't concern Joe Six Pack.

At some point Slashdot readers need to realize that in the standard distribution of American citizens and their values, Slashdot readers are not the median. They are the left tail end. The median folks don't care much about the values that you all think are universal, and as proponents of those values most Slashdot readers do a pretty poor job of communicating to the median of folks and convincing them of the importance of these issues.

Yeah, isn't it funny how some people pretend to care about the constitution and rights, but actually only care about the 2nd amendment? Isn't it funny how people can be so profoundly ignorant as to believe that mass government surveillance is unimportant or even acceptable?

"The government is 100% incompetent and often malicious, but hey, why not let them spy on my communications? What could go wrong!?"

Yeah, isn't it funny how some people pretend to care about the constitution and rights, but actually only care about the 2nd amendment? Isn't it funny how people can be so profoundly ignorant as to believe that mass government surveillance is unimportant or even acceptable?

"The government is 100% incompetent and often malicious, but hey, why not let them spy on my communications? What could go wrong!?"

I find it funny people think the other way. Gun rights are a Constitutional right; clearly defined. Collection of meta-data on the internet which is semi-public is not so clear. And yet those opposed to government surveillance seem to be very anti-gun rights, anti-NRA etc.

But I find your post pointless because you divert from the point, ask a question and then fail to answer it. Why is mass government surveillance important or unacceptable? Why should it be important to, say, a 65 year old retiree who u

Why is mass government surveillance important or unacceptable? Why should it be important to, say, a 65 year old retiree who uses the internet to see pictures of their grandkids on Facebook, occasional internet research about knitting or woodcrafting, and emailing their other retired friends to meet up?

Why is it so important to the government that they collect all available online and phone information about this 65 year old retiree in the first place?

We disagree about the constitutionality of mass government surveillance. There is no point to collecting the massive amount of data the government is collecting unless they are planning to use it. Right? Otherwise, it's just a big waste of time and money. The only practical way to use such a large amount of data is to perform a search against it, looking fo

Your points are well made and well taken. Rest assured they do not fall on deaf ears. Please allow me to respond.

1). As you seem very knowledgeable about the legal justifications for mass surveillance, you are almost certainly aware that there are opposing legal opinions regarding the constitutionality of these programs. Federal judge Richard Leon, for instance, ruled that mass data collection was "likely unconstitutional" and expressed doubt regarding the central rationale for the program - that it is nece

Most of the people I know that are pro-2nd amendment, are pro all-the-amendments and find this online collection thing horrible as well. There is a difference between not liking something and not supporting it, and being able to stop it. I wouldn't make such blatant assumptions of some groups of people, as you could possibly be attributing helplessness with apathy.

If you are going to make blanket statements about people on this topic, I would suggest you point over to the actual "apathy" crowd as not c

Well, I will contend that pro-gun rights groups are more vocal about the 2nd than others, but I think a lot of that comes down to the fact, that in most cases, the 2nd is one of the more important ones. Not that the others are less important, but that the 2nd is there as a last means to protect the other amendments. If it comes down to it, and the gov tries to nullify the other amendments, the 2nd is the only one that has teeth enough (ie: real force) to do anything about it.

Yet people tolerate the TSA, unfettered border searches, free speech zones, DUI checkpoints, stop-and-frisk, etc. All of those things affect people in the physical world, and yet nothing much is done about them. I would honestly like it if lots of people actually cared about freedom and the constitution, but that sadly does not seem to be the case.

Why not have favorite parts of the Constitution to care about? Personally, I'm not all that fond of the 2nd Amendment, but I'm even less fond of seeing Constitutional rights eroded, so I'm not a fan of gun control. Were there no Constitutional guarantee of the right to bear arms, I might well be a gun control supporter.

Well, use Joe Sixpack as your shield. As long as they get data from him, they are complacent and satisfied that they get enough data. Educate Joe Sixpack and the stream of data will dwindle to a trickle and they'll start using more invasive means to gather data.

Sorry to say it, but the days when I try to educate the masses are over. I use them as a shield for my privacy nowadays.

The problem with blanket surveillance is it encourages a wide range of people to look for ways round it - which later can be used by "the usual suspects" to cover up their drug trafficking, terrorism, and pedophile rape gangs. We would be much better off just monitoring the undesirables

So, clicking on that 'learn more' link at the top of the page puts Trend Micro into an uproar that "yourbrowser.net" is:

Details:
Verified fraud page or threat source
Suspected fraud page or threat source
Associated with spam or possibly compromised
Rating in progress.
Trend Micro Web Reputation is currently set to block pages that have not been checked for safety.

Yeah the U.S. is relatively benign right now, but, let the economy go south and see if they are so friendly and honorable. It's clear to all but the blind, deaf, and comatose that the State is hardening their facilities and forces...WITH OUR MONEY!!!
Gird Nerds, the ride is just beginning.

Yeah at times it looks like they follow Orwell and Huxley like a playbook.

One of their best old tricks is Divide and Rule, where you get half of the population mad at the other half and whip them into a frenzy with broadsheets in the old days, and the "Project Mockingbird" media in the modern day.

"Mass surveillance is inevitable to any industrialized country. Which is why all countries with any technological sophistication have it. To think that one can 'fight' it to any real degree is like thinking one can 'fight' indoor plumbing or mass electrification."

Sad, but true. Still, politics plays a role in the outcome of all this in terms of what sort of world we want to build together.

Actually they merely keep a file on you, and they are glad that you break their rules because if you ever become a problem for one of their pet projects then out comes your file and you get a visit from them.

I don't agree with everything Ms. Rand said, but this one fits...

“There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes

For the anti-surveillance advocates who are enjoying the rise of their viewpoint in the polls, consider this: a single terrorist attack on U.S. soil could easily tilt the polls the other way and land us in a worse surveillance state than we have now. Be careful what you ask for.

Probably always going to be true, and there really isn't much to be done. Funny how people in "the land of the free and the home of the brave" don't want to be free or brave if they believe not being those things will keep them safe.

I'm very surprised to see that the article and all posts fail to mention TOR.

TOR may not be perfect, but it's a lot better than any readily available alternative. I'd suggest using it for any browsing you think might be the least bit controversial. The more people that use TOR, the better it works. It's a bit slow, but it's livable.

TOR is a hard target, and unless there's some reason to go after you individually already, you'll almost certainly be secure using it. The TOR developers are constantly working to make it better as well.

As far as security goes I would not be shocked if more intense spying is not applied to individuals who take precautions against being spied upon. Look at it from a law enforcement view or national security point of view. We can name one fellow Joe and another fellow Sam for purposes of demonstration. Suppose Joe is seen to use strong encryption, avoids using smart phones or cell phones, pays cash always and quietly rents a room from a private home owner. That alone may send out signals that Joe needs a hard look. Sam on the other hand is welded to his smart phone, never even uses a password and is wide open to scrutiny in every area of his life. Guess which one will attract interest. Sam's flaws are known. Sam's negatives match the negatives of almost all people in the area. Joe, conversely, seems to have no flaws and no real data points in the system. Any smart agent or cop will want to find ways to define Joe and frankly it won't take much effort at all. In the past very unlikely people were employed as agents. A man might make progress with a very pretty, very pretty, young girl who he would never suspect is employed by the police department as a professional spy. But these days tiny cams and recording devices are rather easy to insert into a suspicious person's environment. I have seen this stuff in action and knew a young girl who worked in a spy like capacity for the cops. She was inserted in a community and under the age of twenty and played the role of a hippie like youth in rebellion which in fact she sort of was. But her pay check was through her spying efforts.

As far as security goes I would not be shocked if more intense spying is not applied to individuals who take precautions against being spied upon.

The solution for that is strong encryption for everyone, transparently, and by default.

The things I most want kept private the government already knows about - my identifying information, drivers' license info, social security number, tax records, bank account numbers, etc. The things you can use to steal my identity and/or money. When I use encryption it is to keep that information from criminals, and it is entirely rational to do so.

The day the government decides the use of security tools is only to hide b

Sounds like chunks of themes ripped from the Fourth Realm series by John Twelve Hawks. Being off the grid is one thing, but also randomizing your choices helps another. Working with maps of CCTV to find alternative routes, and providing the double work of having 'usable' profiles to hide behind.

Figure out what can alert the watchers without getting into trouble, and compare notes and discuss in forums on Tinternet. Make sport out of the watchers by seeing what you can figure out about them simply by provoking unnecessary reactions. Read The Art of War and study Tai Chi (properly, not just as a spaced-out eastern arm-waving exercise, but as the study of super-efficient movement and coordination -- though that can take a decade or so just to get the basics half-right).

I'm not sure how #1 is a reason. The pervasiveness of the internet is not in itself a problem, any more than air being everywhere is a problem. Show me how the pervasiveness is an issue.

# 2 is weak; it talks about what could happen, rather than what is likely to happen. I understand that when arguing against something, if the outcome of letting that thing happen is catastrophic, that will determine how convincing the argument is, but I prefer to look at

In 2002, Wired Magazine questioned whether TrustE could be trusted, noting that rather than revoking privacy seals for violations, "Truste officials often seemed to be covering for their clients".[23] In 2008, a Galexia Consulting study reported that TrustE had terminated only one customer for non-compliance in the previous eleven years, despite a number of significant privacy violations which had received press coverage. "The mo